Taking patch management to the next level: Shavlik HFNetChkPro review
Over the past 10 years, I have worked as a system administrator for several corporations, and patch management, an essential part of my job, used to be a real nightmare for me. Back in 95, Windows Update did not exist, and people didn't really patch their OSes; they only installed service packs once or twice per year and prayed really hard while they were doing it. Oh, those were the days... the days when my sanity was regularly threatening to pour out of my ears.
Then in 1997-98, Windows Update appeared and saved us a lot of time. Before then, sneakerware (the art of running around to install software) was pretty much the only way to deploy software and updates to a corporate network, especially in small companies. Most of the time, WU (Windows Update) saved us from the job of looking for what patches were missing from most systems because WU autodetected them. As the years passed, my corporate environment changed and became larger, up to a point where I couldn't afford to walk around and install every patch with WU. Automatic Updates would have done the trick, but the main problem with it was that it couldn't give me any control over the deployment process of my patches.
At that point, I had several choices: free solutions or other more expensive ones like SMS (Systems Management Server).
I reviewed a couple of them and ended up buying a marvelous product from Shavlik named HFNetChkPro. The product isn't free, but it is not expensive at all considering what it can do. If anyone wants a quotation, I would advise that you guys ask a reseller for it; they always undercut the price that Shavlik is offering on their website.
I did try free solutions like Microsoft SUS (now WUS), but I thought that these products lacked some functionality (bad reporting features, fewer products supported, more complicated installation, etc.).
After a while, I read about Shavlik's product on a tech site, and tried it for a week. I was immediately charmed by its speed, ease of use and functionality. If you read about HFNetChkPro on IT sites, you'll end up on positive reviews 90% of the time.
The product allows you to automate the scanning of the most widely used platforms and products, including Windows NT, XP, 2000, Windows Server 2003, Exchange, SQL Server, Outlook, Microsoft Office and Java Virtual Machine, and it supports non-Microsoft products such as WinZip, Apache, Acrobat Reader, RealPlayer and more. It has an intuitive drag-and-drop interface and some GREAT reporting features.
After having gone through the manual patch testing procedure using VMware or MS Virtual PC (never deploy patches before trying them in a test environment), I can have a 200-system LAN patched in a couple of hours, without the users knowing about it. Maybe their machines will slow down a bit, but not by much. When they reboot the following morning, all the computers will be patched, and I'll be a happy guy. The only time I had to deploy outside business hours was when XP SP2 was released. You guys wonder how I did it? Here's how: I scheduled a WakeOnLAN script to boot up all the computers in the domain, and scheduled my HFNetChkPro 1 hour later to scan and deploy SP2 automatically. It worked like a charm. The only problem I had is that the following morning, 2 of my XP boxes were not booting up properly, but that was a really small inconvenience considering the time I saved.
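The wake-up step described above, sketched as an added example (this is not the author's script, which the article does not show). It is written in Python; the MAC addresses are constructed sample values, and UDP port 9 with the limited broadcast address is an assumed default:

```python
import re
import socket

HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")

def parse_mac(text):
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 0011.22aa.bbcc; return 6 raw bytes."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def magic_packet(mac):
    """Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the target MAC repeated 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16

def wake(macs, broadcast="255.255.255.255", port=9, send=True):
    """Broadcast one packet per MAC. Returns (sent, rejected) so that bad
    inventory rows are reported instead of silently skipped before the scan runs."""
    sent, rejected = [], []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) if send else None
    try:
        if sock:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for mac in macs:
            try:
                packet = magic_packet(mac)
            except ValueError:
                rejected.append(mac)
                continue
            if sock:
                sock.sendto(packet, (broadcast, port))
            sent.append(mac)
    finally:
        if sock:
            sock.close()
    return sent, rejected

# Constructed sample inventory; the last row is deliberately malformed.
INVENTORY = ["00:11:22:AA:BB:CC", "00-11-22-aa-bb-cd", "0011.22aa.bbce", "not-a-mac"]

if __name__ == "__main__":
    sent, rejected = wake(INVENTORY, send=False)  # dry run: build packets, send nothing
    print(f"would wake {len(sent)} machines, rejected rows: {rejected}")
```

Magic packets are broadcasts, so the sender has to sit on the same subnet as the targets unless the routers forward directed broadcasts, and Wake-on-LAN must be enabled in each machine's firmware and NIC settings.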
How does it work? Let me show you quickly. (I took the screenshots from the Deerfield.com website since I didn't have access to the application at the moment I was writing the article.)
Main interface: This is where everything starts. From this screen, you can scan as many computers as you want: one, a couple, or all of your systems. You can scan them by name, IP address or domain. It is also possible to create custom scan groups to help you target the right systems.
Scan status: Once you hit "begin scan", this window pops up. It displays the current status of your scan.
Scan Summary: This screen displays the results of the scan. How many computers were scanned? How many patches/service packs are missing? Are they critical?
Scan Overview: From this window, you see the details of all computers that were scanned: which patches/service packs are missing, which ones are already installed, etc. You can view the results by computer or by patch.
- By computer: Which patches are missing from 1 or multiple computers.
- By patch: Which computers are missing this particular patch.
Once you are finished reviewing the results, you can select 1 or multiple computers, right click and select "deploy all missing patches". At this point you will be offered the choice of a deployment template. You can use the default one, or create one yourself. Let's say you do not want your computers to reboot after the deployment. You would have to modify the default template, and select "Do not reboot computers after deployment". After this, save the template under another name, and use this one instead.
Patch Pusher: This little application appears when the deployment process is finished. It displays the status of the patches on all scanned computers. What is the current situation? Was the patch correctly installed or did it fail?
Easy, isn't it? It is as easy as it looks. The only thing you need to run this application properly is an administrative account that has admin access all over the domain. You can also use alternate credentials if you are scanning computers with stand-alone security.
There are many other products that offer the same kind of functionality. I did not test most of them because everyone I knew told me I could not go wrong with HFNetChkPro. They were right. The product did everything I needed the first time I tried it. It never failed once in the 2 years I've been using it! I've tested the product extensively, checking installed patches manually on a group of test machines, using MBSA to see if the results would be the same, and everything worked out just fine.
Just a last thought about patching servers: ALWAYS patch your servers manually. Always reboot them before and after installing patches. You'll be saving yourself a lot of trouble if you take those precautions. I never was in a situation where I had to manage 50+ servers. I'd probably handle the situation differently then, but if you are in a small to medium business environment, follow my advice.
If you are interested in comparative reviews, please consult the PatchManagement.org website. PatchManagement.org is the industry's first mailing list dedicated to the discussion of patch management. Whether it's a Linux operating system patch or a Microsoft application hotfix, this is the place to find more information about it. The reviews on it are pretty old and do not cover the most recent version of most products, but it is a very good start.
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.
Update: PatchManagement.org added a new listing of all the patch management vendors who offer products that do both patch assessment and remediation. The list of vendors on the website may be useful for folks who are beginning the patch management product evaluation phase.
Update #2: If you want to learn more about patching and patch management in general, you should listen to this episode of the SBS Show featuring Susan Bradley. Susan is a wacko SBSer with so many certifications that it makes my head hurt just thinking about them. She's also someone who really knows her stuff when talking about patch management. You can read what she has to say on her blog.